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To operate in space, the FTS manipulator had to meet the shuttle safety requirements as well as 
the environmental extremes. The safety requirements, as discussed elsewhere in this paper, 
ensure Orbiter and crew safety through fault tolerance requirements. Safety is cited by Shattuck 
and Lowrie (1992) as "the single largest factor driving the system design." Safety and fault 
tolerance requirements resulted in monitoring of joint and Cartesian data, in checking of loop 
times to ensure proper functioning, in cross-strapping along communication paths, and in addition 
of a hardwire control capability as a backup operational mode. Orbiter launch and landing impart 
vibration into the system which requires structural analysis and testing. Electromagnetic 
interference (EMI) must be limited both from invading and from exiting the manipulator systems. 
However, the most demanding aspect of the space environment from the FTS designer's view is 
the thermal vacuum of space. Operation in a hard vacuum (10-5 torr) and over temperatures from 
-50°C to 95°C forces innovative designs, careful material selection, and extensive analysis. 

Another consequence of the space environment is operation in zero-gravity. Designing the 
manipulator for a zero-g environment impacts structural, electromechanical, and electrical power 
considerations and well as the control system design. Because weight is a premium in space, 
motors are chosen to provide torques for zero-g operation. This saves significant weight and 
electrical power when compared to motors chosen for ground-based operation. Smaller motors 
also benefit the thermal control system. The structure must also be lightweight, which increases 
flexibility and lowers structural bending mode frequencies. While being lightweight and more 
flexible, space manipulators are expected to handle payloads more massive than the manipulator. 
This expectation is far different from terrestrial manipulators which usually handle payloads 1/10 
their weight. To maintain stability and performance, a 10:1 ratio is maintained between the first 
bending mode and the control bandwidth. This ratio precludes use of high bandwidth PID servos 
used in more massive, terrestrial manipulators. To address the stability and performance issues in 
the FTS manipulator, the structure was designed for stiffness (12 Hz first bending mode) and the 
manipulator control has a 1.2 Hz bandwidth, an inertia decoupler, and joint-level torque, position, 
and velocity servo loops. 

Manipulator Design and Technologies 

Beyond safety, FTS manipulator design was driven by the thermal environment and the 
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positioning performance specifications. Of course, each manipulator subsystem was influenced 
by additional constraints and specifications. The following paragraphs describe the manipulator 
subsystem designs and technologies developed by Martin Marietta and its subcontractors to 
meet the FTS requirements. Manipulator subsystems discussed include manipulator kinematic 
design, link structure, actuators, control systems, and the end-of-arm tooling. 

Manipulator Kinematics 

A 7-DOF (degree-of-freedom) R-Y-P-P-P-Y-R design is used with the first joint (shoulder roll) 
utilized for task-dependent configuration optimization. The outer 6 joints are actively controlled 
for coordinated output motion. The kinematic design has few joint offsets and 90° twist angles to 
simplify the kinematics. The 6-DOF kinematic arrangement, with three adjacent pitch joints, 
provides a closed-form inverse kinematic solution with few singularities within the manipulator 
workspace. The singularities which occur when the wrist roll or wrist yaw align with the shoulder 
yaw are beyond the usual workspace of the manipulator. Other singularities occurring at joint limits 
and when the elbow passes over the "home" position, shown below, are eliminated with 
mechanical and software joint travel limits. The 3 inch displacement of the elbow joint is to allow 
the arm to fold back on itself for a greater workspace. 


r 


FTS Manipulator - "Home" Position 



Link Structure 

The manipulator links provide structural support as well as joint controller electronics packaging 
and thermal control. Packaging and thermal control determined link sizes while fracture and 
stiffness considerations drove the structural design of the links. A stiffness requirement of 
1,000,000 pounds/foot and 1,000,000 foot-pounds/radian resulted in a smallest structural safety 
margin which exceeds 14, far greater than Shuttle requirement for a 1.4 factor of safety. Easy 
access to electronics is through side plates on the links. To avoid the cost and complication of 
active cooling, radiation is the primary thermal path. The controller boards sit in slots within the 
links which provide conduction paths to the link structure for radiation to the environment. The 
link designs use material coatings, mounting, and Kapton/lnconel film heaters to maintain thermal 
control. 

Actuators 

The joint actuator designs, developed by Martin Marietta and Schaeffer Magnetics, were also 
driven by positioning, performance, and thermal demands. These high-performance, zero 
backlash actuators each house a DC-motor, an harmonic drive transmission, an output torque 
sensor, an output position sensor, a fail-safe brake, hard-stops, and internally routed cabling. The 
design achieves considerable commonality between actuators. Three sizes are used - one for the 
3 shoulder joints, one elbow joint, and one for the 3 wrist joints. 

The DC-motors have brushless, delta-wound stators with samarium cobalt rotors. This design 
offers good thermal properties, low EMI, minimal rotational losses, and linear torque-speed 
relationships. Motor commutation signals are generated from Hall Effect sensors, a second set of 
which is installed for redundancy. A secondary set of windings within the stator, driven via an 
independent electrical path, provides at least 10% rated torque and 0.5 degrees/second joint 
velocity for operation of a backup mode. This degraded mode of operation, commanded joint-by- 
joint, satisfies the need for safing the manipulator after failure of a primary system. Fail-safe brakes 
attached to the motor rotor shaft are spring-loaded so that loss of power engages the brake. 
These brakes may be released with an EVA release bolt, which when turned 90° releases a cam 
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on the brake armature. 


Harmonic drives provide 100:1 backdrivable gear reduction in a compact volume. The harmonic 
drives were chosen with HUlC-series cups and S-tooth profile teeth for torsional stiffness and zero 
backlash. Cup size is determined by joint torsional stiffness requirements. In fact, because of the 
relative flexibility of the harmonic drive, all other torsion members are considered rigid. Rather 
than the standard Oldham coupling to the wave generator, a specially designed cylindrical coupler 
was used to eliminate backlash. Additionally, the output is coupled to a flange around the motor 
and harmonic drive. This flange, mounted to large duplex bearings provides compactness, 
rigidity, and an efficient load path the output link. 

An analog torque loop is implemented in the joint servos to accommodate the non-linear and 
high-frequency affects of the harmonic drives. Sensor values to the torque loop come from an 
output torque sensor embedded on the harmonic drive output flange. Strain gages are mounted 
to the spokes of the titanium flange. This sensor placement isolates the sensor from structural 
toads (bending), thus primarily transmitting actuator torque. For effective performance, this analog 
torque loop operates at 1 500 Hz. 

Like the manipulator structure, actuator housings and bearings were designed for stiffness and 
thermal stability. A standard bearing steel, 440C stainless, Is used for all beanngs. Beanng 
lubricant is Braycote 601, a liquid lubricant used in space applications. Its very low vapor pressure 
allows the actuator to not be sealed, but still designed to resist contamination and assembled in a 
clean room. The motor bearings are deep-groove roller bearings sized for the thrust toad of brake 
engagement and spring pre-loaded to minimize temperature sensitivity. The output bearings are 
large diameter, duplex-pair, angular contact bearings (face-to-face mounting). These bearings 
share radial and thrust loads with another duplex-pair on the other side of the actuator. . An 
exception is the wrist roll, which has a single, duplex pair mounted back-to-back for better rigidity 
against the bending moments of the full cantilever load. Unfortunately, this back-to-back 
installation has greater sensitivity to assembly misalignments. This sensitivity may contribute to 
the excessive, uncompensated friction discovered during recent wrist roll torque loop tests. 

The actuator housings are aluminum and titanium. Titanium is utilized near bearings. The similar 
thermal properties of 440C stainless and 6AI-4V titanium minimize temperature effects on bearing 
pre-loads. These pre-loads were determined as a compromise between stiffness and friction 
drag. The actuator case was designed for thermal needs. Motor and brake heat is dissipated to 
the ends or to the casing and then radiated to the environment. Like the links, the actuator 
design uses thermal isolation, material coatings, and internally mounted film heaters to protect 
bearings from thermal gradients. These gradients could adversely affect actuator friction and 
positioning accuracy. 

The positioning and incremental motion requirements call for encoder data within an arc-minute at 
resolutions to 22-bit sensor. To meet this need, inductive encoders were developed specifically 
for the FTS program by Aerospace Controls Corporation. These encoders have a fine and a 
coarse track used for incremental and absolute position resolution, respectively. Temperature 
effects on sensor accuracy were discovered during thermal testing. These errors were stable and 
repeatable with temperature, and are thus have been corrected in software. 

All cabling in the manipulator is internally routed through links and actuators. Each actuator has a 
cable passageway designed to eliminate twisting of cabling and thus minimizing chafing 
opportunity. The innovative cabling within these actuators is of Flat Conductor Cables (FCC), 
manufactured by Tayco, Inc. FCC is used in space applications, but for this application up to 34 
layers of laminated cables are used in a single actuator passageway. The cables consist of 
alternating layers of Kapton, FEP, and photo etched copper conductors with a vapor-deposited 
copper shield. These cables are to operate from -50°C to 95°C through thousands of cycles. 
These cables rout serial data, video signals, power, and discrete signals. Acceptance tests of a 
few cables indicated minor lamination problems apparently due to entrapped water vapor. 
Investigation of the cable manufacture and test indicated several areas for possible change as well 
as a method for cable repair. Recent cable tests to 100,000 mechanical cycles over full 
temperature ranges verified continued cable functionality. 
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Control Systems 
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system was implemented to provide active control of hazards to meet the payload safety 
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initiates a software reset of a hardware limit value to force a hardware ESD. All these ESD paths 
were analyzed to determine reaction times to various failures such as a joint runaway. Hardware 
ESD’s occur in 1 1 msec, combination ESD's occur in 30 to 206 msec, and a combination ESD may 
take up to 4026 msec for an over-temperature condition. 

Gripper/End-of-Arm Tooling 

The end-of-arm tooling built for the FTS manipulator has a parallel jaw gripper and space for later 
addition of an end-effector exchange mechanism. The gripper fingers are a cruciform designed 
for positive contact and retention because the gripper is backdrivable. The gripper fingers ride on 
a rack and pinion driven by a harmonic drive transmission and a single DC-motor. A pair of fail-safe 
brakes are installed to provide fault tolerance against inadvertent release. Brake failure or brake 
command failure results in a brake defaulting to its engaged position. Each of the two brakes can 
withstand forces greater than expected gripper forces (maximum anticipated load is 30 lb, brake 
hold is 50 lb.). Gripper forces are measure by a torque sensor and also by motor currents. The 
concern over inadvertent release also impacted the design the planned task items. These items 
were instrumented to insure positive grasp. As a final safety measure, the gripper fingers are 
attached with EVA compatible bolts which may be removed on-orbit to release the gripper. 

SAFETY REQUIREMENTS 

Robotic Manipulator Systems can provide the capability to perform work and assist humans in 
space as long as they are safe and reliable. The space based requirements differ significantly from 
terrestrial based manipulators used in industry and research. In most terrestrial robot 
implementations, the prime method for dealing with failures is to keep workers out of the robot 
workspace when active and by accepting the occasional parts damage following a failure due to 
high volume parts fabrication. This approach is not acceptable for space applications where 
humans are involved, and the effect impacts the design requirements for space manipulator 
systems. 

Hazards and Controls 

All manned space flight systems are assessed for flight hazards their use imposes. From such an 
assessment the causes of those hazards are determined, and methods to control those hazards 
are developed. To gain flight acceptance, multiple levels of hazard control must be designed for 
and verified for assuring the desired level and coverage of controls. In the FTS system 
development, safe control of hazardous operations forced additional requirements in the design 
of the manipulator system, its interfaces with the Orbiter and the task elements the FTS was to 
demonstrate interaction with. 

The primary hazards associated with the FTS manipulator operations and the three methods for 
providing safe control are listed: 

A) Unplanned contact or impact during operations 

1) Operator and computer control to not command unplanned contact. 

2) Boundary management software operation. 

3) Redundant boundary management software operation in the safety computer 

B) Inadvertent release of hardware 

1) Hardwired enable gripper brake power from independent switch in the aft flight deck 

2) PGSC (Portable General Support Computer: laptop computer) command to release gripper 
Brake #1 

3) Hand controller switch to release gripper Brake #2 

C) Failure to stow for safe Orbiter landing 

1) Normal computer operations (With hardwired control for added reliability) 

2) Jettison via RMS (or EVA if time permits) 

3) EVA operations to stow or jettison 

D) Excessive applied gripper force or torque 

1) Force control using gripper force sensor 

2) Current limiting ESD (Emergency shutdown detection) 

3) Redundant current limiting ESD 

E) Excessive applied manipulator force or torque 

1) Normal control with active Cartesian load from joint torque command 

2) Cartesian force limiting, using wrist force/torque sensor channel A 

3) Redundant Cartesian force limiting, using wrist force/torque sensor channel B. 
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Mission Operation To Control Hazards 

Primary concerns in the design of space manipulator systems have to do with the effects of 
system failures on the crew or vehicle. Operational limitations of use are placed on robotic 
systems that may otherwise be perfectly capable of performing their intended operations. 
Limitation on use are due to the fact that if a system is performing a task and were to have a failure, 
the effect of that failure must not prohibit the intended function from being performed in the time 
frame that that function is critically needed, and any failure must not prohibit any other safety 
related operations from being carried out during its time of criticality.. 

For a system to continue operations after a failure, any remaining operability the system might 
contain must also provide that same capability to make itself safe to the vehicle and crew if it were 
to suffer a failure. Otherwise that additional level of operability would only be allowed for 
temporary use to make the task situation safe, remove the robot from the task area, and then stow 
it in a safe returnable state or eject it so the vehicle can return to Earth. The added operability 
would not be allowed for continued use to proceed with the intended task, except to make the 
situation safe. This is the fundamental concept of hazard control for the Orbiter. 

FTS Fail S afe Operations 

Several FTS configuration descriptions follow below along with design features to address key 
functions which allow for safe operations. The designs comply with NASA's Orbiter safety policy 
and requirements of NSTS 1700.7B with interpreted in NSTS 18798A. In several cases, the 
hardware or software system could not be designed to meet the required levels of fault tolerance 
without significantly complicating the design or dexterity of the manipulator system. Therefore 
reductions in compliance with the safety requirements placed operational limitations on the use of 
the FTS System. The system is considered fail safe; where under any failure the system will not 
cause a catastrophic hazard, and therefore does not jeopardize the safety of the Orbiter or crew. 
The FTS system is not fail-operational. Such a system, after any initial failure, could continue 
normal intended operations since it would still retain the ability to make itself safe after a second 
failure. 


The DTF-1 concept fulfills the first method of hazard control for Orbiter safety using its normal 
modes of operation. If any of the single points of failure occur, normal operations will cease and an 
attempt to safe the manipulator system by use of the hardwired control. Note that hardwired 
control is only a supplement to the first level of hazard control. If the manipulator system cannot 
be safed by use of the hardwire control, the mission will be assessed to determine if enough time 
remains to perform an EVA to safe the manipulator system. If hardwired control cannot safe the 
manipulator system and time does not permit an EVA to safe the manipulator or remove it for 
stowage, then the RMS will grapple the telerobot using the RMS grapple fixture for jettison. This 
is the second method for hazard control. The third method of hazard control to provide two fault 
tolerance for Orbiter safety is EVA operations. Remedial operations could be to remove the 
manipulator, release the gripper and/or release the actuator brakes. This is to allow stowage of the 
manipulator, either into its caging devices or by removal and strapping it in the airlock, or otherwise 
by release into orbit. 

Hardwired Control 

The FTS system incorporates a backup hardwired control capability in the event of a failure which 
precludes closed loop computer control of the manipulator system. The main purpose is to 
minimize the likelihood of having to jettison the system or perform an EVA operation. This has the 
effect of making the computer system, sensor systems, software, servo systems and most other 
hardware single fault tolerant, even though the operations would be significantly dearaded in 
performance. 


Operational use of the hardwired control is limited to safing of the system after a failure, by stowing 
the arm to allow a safe Orbiter return. It allows operator control of individual manipulator joints for 
stowage and for gripper actuation in the event of computer control or motor drive failure. When 
selected, primary power is removed from all manipulator motor and brake drivers while retaining 
power to camera controls. Software recognizes the status of the hardwire control, and commands 
off all motors and brakes, so that return to normal computer operations after hardwired control 
starts with all motors and brakes powered off. 
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Hardwire control is limited to very low joint rates and torques in a two fault tolerant manner. 
Hardwired control is by sequential, joint-by-joint movement, and provided no force 
accommodation to minimize forces imparted into interfaces. Only a limited set of initiated tasks are 
likely to be able to be completed. Emergency shutdown detection (ESD) is not operational during 
hardwired control operation, as the operator can de-power the hardwire drive to stop payload 
motion, and brakes can also be used to stop motion. 

EVA Operations 

Several failures of components employ EVA as the third fault tolerant paths to ensure stowage of 
DTF-1 for safe return of the Orbiter. The manipulator actuators, gripper mechanism, and 
manipulator caging mechanisms represent major groups of such components. 

Failure of a caging mechanism to release the arm for operation would not require EVA for safing 
the manipulator. EVA would be used as the third path for safing the manipulator if more than one 
of the four caging mechanism fail to close. In this case, removal of the manipulator at its shoulder 
interface and either manual release into orbit or stowage in the airlock would be required. 

Failure of a manipulator actuator motor drive electrically or mechanically would require EVA as the 
third fault tolerant path. Mechanical release of the joint actuator brake allows EVA backdrive of the 
joint into the caging position. If a manipulator joint seizes, then EVA is employed as the third fault 
tolerant path to remove the manipulator at the shoulder and release into orbit or stowage in the 
airlock. 

Single-Points Failures: 

There are several single point failures that remain in the FTS system which may lead to failure of 
the manipulator to complete a task, or to stow itself for a safe Orbiter return. For the Orbiter this is 
considered a catastrophic hazard, therefore the requirements for payloads to provide two fault 
tolerant methods of dealing with these effects. 

The FTS single-point failures which lead to an EVA or jettison are few in function, but have 
commonality within the actuator and gripper. These failures are seized bearings or gears, a short 
within the motor winding, or a short or open in a brake winding. 

Safety Critic al Subsystems 

The DTF-1 Flight Experiment of FTS has fifteen different safety critical subsystems and 
equipment groups, as listed. 

Structure Subsystem 
Control 

Data Management and Processing 
Vision 
Software 

End-of-Arm Tooling 
Task Panel Elements 
Hand Controllers 

This is only a listing, descriptions of these subsystems will be presented in a future paper. 


Thermal Control 

Electrical 

Power 

Sensors 

Manipulator 

Electromechanical Devices 
Aft Deck Workstation 
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